Bad news for Crucial and its MX500 SSDs, which have fallen victim to a security vulnerability. On drives running the latest firmware version, an attacker can steal data or execute code on your machine!
MX500: security flaw discovered!
Registered as CVE-2024-42642, this flaw originates in the SSD controller. According to Guru3D, it can be exploited by “sending specially crafted data packets to the SSD controller via the host system”. The underlying problem lies in the way the controller handles incoming data, which can lead to buffer overflows. From there, it would be possible to steal data, or even execute malicious code.
All this is not just supposition, since the flaw has been tested and exploited on Ubuntu 22.04, a Linux distribution, with standard SCSI drivers. The question remains, however, whether it can be exploited on other systems, such as Windows.
Finally, this flaw seems to concern the M3CR046 version of Crucial SSD firmware. However, this is also the most up-to-date firmware version. In short, if you’re using an SSD from this series, keep an eye out for updates and download them from the brand’s official website.
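To find out which drives in a machine are on the firmware named above, the identity section printed by `smartctl -i` can be parsed and classified. The script below is an added example, not code from Crucial or from the original article; it assumes smartmontools is installed, that MX500 model strings contain the text "MX500", and it uses a constructed sample in place of real drive output.

```python
import subprocess
import sys

AFFECTED_FIRMWARE = "M3CR046"  # firmware version named in the article
MODEL_MARKER = "MX500"         # assumption: MX500 model strings contain this text

# Constructed sample of `smartctl -i` output (not captured from a real drive).
SAMPLE = """\
=== START OF INFORMATION SECTION ===
Device Model:     CT1000MX500SSD1
Serial Number:    EXAMPLE0000
Firmware Version: M3CR046
User Capacity:    1,000,204,886,016 bytes [1.00 TB]
"""

def parse_identity(text):
    """Return (model, firmware) from smartctl -i text; a missing field is None."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields.get("device model"), fields.get("firmware version")

def classify(text):
    """Label a drive relative to the firmware version the article reports."""
    model, firmware = parse_identity(text)
    if model is None or MODEL_MARKER not in model.upper():
        return "not-mx500"
    if firmware is None:
        return "unknown-firmware"
    # "other-firmware" only means the version differs from the reported one.
    return "affected" if firmware.upper() == AFFECTED_FIRMWARE else "other-firmware"

if __name__ == "__main__":
    # Usage: sudo python3 check_mx500.py /dev/sda /dev/sdb
    for dev in sys.argv[1:]:
        try:
            out = subprocess.run(["smartctl", "-i", dev],
                                 capture_output=True, text=True).stdout
        except FileNotFoundError:
            sys.exit("smartctl not found; install smartmontools")
        model, firmware = parse_identity(out)
        print(f"{dev}: {classify(out)} (model={model}, firmware={firmware})")
```

A drive reported as `affected` is the one to watch for a vendor firmware update; `other-firmware` says nothing about whether that version is vulnerable.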